• CrystalDiskInfo 9.0.1a Standard Ed (Zip): VirusTotal Flagged JMS56x.dll

    #2570348

    Hi.

    So I went to the official website for CrystalDiskInfo (https://crystalmark.info/en/download/#CrystalDiskInfo) and downloaded the newest version (9.0.1a) Standard Edition (zip) version. Then I checked the SHA256 hash values from the author’s download page to the zip file I have (using PowerShell) and they matched, so all good so far. Then I extract the files to a temporary folder on the desktop and check the program files, .ini files, and .dll files on VirusTotal. That’s when I get this result when checking JMS56x.dll:

    [Screenshot: VirusTotal-for-JMS56x.dll]

    I suspect this is a false positive from Webroot, but out of an abundance of caution I thought I would ask folks here: is that the case? Is CrystalDiskInfo safe to use in this case?

    I also scanned said temporary folder with MS Defender and Malwarebytes Free 4.5.30 and both didn’t find any threats. I also made sure to check and see that the app was digitally signed, which it is.

    I haven’t run the program yet, it is just sitting in the folder on the desktop. I also (for the fun of it) downloaded the same file from OlderGeeks.com and compared the SHA256 hash values and (as I assumed) they are the same. (I used VirusTotal’s hashes to compare the two. It turns out that VirusTotal’s hash function is just as good as PowerShell’s, and a little easier to use.) So this would be an issue, if it is one, regardless of which website I got this download from, from the two websites above.

    So back to my question: do folks here think this is just a false positive? If not, I may need to “bite the bullet” and use WD’s drive utilities. (I’ve got an external HDD that is starting to make a little bit of noise, and has me concerned.)

    Thanks.

    1 user thanked author for this post.
    • #2570448

      It is false positive.

      I use CrystalDiskInfo Portable 9.0.1a (no need to spread files all across the system)

      1 user thanked author for this post.
      • #2570751

        I use CrystalDiskInfo Portable 9.0.1a (no need to spread files all across the system)

        CrystalDiskInfo9_0_1a.zip is the portable from https://crystalmark.info/en/download/#CrystalDiskInfo

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
        1 user thanked author for this post.
    • #2570449

      Give it a couple of days and check again, the false positive will have been resolved.

      cheers, Paul

      1 user thanked author for this post.
    • #2570683

      Interestingly, I couldn’t even find a JMS56x.dll file in the expanded ZIP.

      [Screenshot: crystaldisk_dlls]

      I scanned the ZIP file using VirusTotal which found zero infections and only 9 DLLs in the package – 3 in the root folder and 6 in a DLL folder, none of which were named JMS56x.dll.

      2 users thanked author for this post.
      • #2570896

        Interestingly, I couldn’t even find a JMS56x.dll file in the expanded ZIP.

        Sorry about that. After reading geekdom’s post below, I realized what I did. I scanned JMS56x64.dll, got the above flagged result, and proceeded to post here using VirusTotal’s name for the file, hence the “JMS56x.dll” in the title, rather than using the actual name of the file from the zip archive. My bad.

        I scanned the ZIP file using VirusTotal which found zero infections

        I did this as well, after confirming the SHA256 hash values. And got the same result. How reliable are antivirus scanners with compressed files, though? I’ve heard some say that scanners can read such file formats successfully, and others say that they can’t.

        I’m also curious what to make of these results from VirusTotal:

        [Screenshot: VirusTotal-for-MimeKit.dll]

        [Screenshot: VirusTotal-for-System.Buffers.dll]

        (I double-checked these file names with VirusTotal, and they are the same as the actual files in the zip archive this time. 🙂 ) I know what the green ring means, and a red spot on the ring, but a blue ring? My cursory search for an answer hasn’t turned up anything.

        Edit: removed a little unnecessary extra html code

    • #2570761

      I don’t find JMS56x.dll in the CdiResource\DLL folder. However, I do find JMS56x64.dll which when (DLL folder is extracted and the file then) tested with VirusTotal is flagged as JMS56x.dll with the WebRoot notification.

      JMS56x86.dll shows as JMS56x.dll in VirusTotal with no flags.

      JMS56xA64.dll shows as JMS56x.dll in VirusTotal with no flags.

      1 user thanked author for this post.
      • #2570917

        I don’t find JMS56x.dll in the CdiResource\DLL folder. However, I do find JMS56x64.dll which when (DLL folder is extracted and the file then) tested with VirusTotal is flagged as JMS56x.dll with the WebRoot notification.

        Thanks for catching this. Yes, after reading your response, I realized what I did, but rechecked the files to be sure. “JMS56x64.dll” is the actual name for the file in question from the zip archive, that got flagged. I used VirusTotal’s name for the file in my post title by mistake. And I confirmed the same result you got. Sorry for any confusion on that.

        JMS56x86.dll shows as JMS56x.dll in VirusTotal with no flags.

        Also important to point out, considering my earlier flub.

        JMS56xA64.dll shows as JMS56x.dll in VirusTotal with no flags.

        This one came back as “JMB39x.dll” for me. Both came back without flags for me, also. In fact, only JMS56x64.dll came back with any flags at all, out of the files I tested. (I didn’t try testing all the .png files.)

        Any idea why VirusTotal sometimes changes the name of files that are stored locally to something else in their results? It didn’t change the names for, say, “MimeKit.dll” or “System.Buffers.dll” in the same archive. (These results can be seen in my response above #2570896.) But it did for others in the same archive. Maybe these names are what VirusTotal calls the files internally on their own database?

    • #2570958

      How reliable are antivirus scanners with compressed files

      Very, assuming it is a standard zip format. Zip / 7-Zip are well known formats and any AV worth its salt will be able to open them and scan the files.

      cheers, Paul

      1 user thanked author for this post.
    • #2571012

      Under the circumstances, it might be wise to inform CrystalDiskInfo of the “virus” notification in VirusTotal. False positive or not false positive is their call to make.

      1 user thanked author for this post.
    • #2571018

      Sorry about that. After reading geekdom’s post below, I realized what I did. I scanned JMS56x64.dll, got the above flagged result, and proceeded to post here using VirusTotal’s name for the file, hence the “JMS56x.dll” in the title, rather than using the actual name of the file from the zip archive. My bad.

      No worries. The consensus of opinion appears to be that we have nothing to worry about. I also note that the ZIP file was first interrogated a while ago by VirusTotal and the hashes have remained consistent. Nothing malicious has been found by VirusTotal in any one of the DLLs compiled for the 3 different architectures based on the JMS56x ‘parent’.

      Any idea why VirusTotal sometimes changes the name of files that are stored locally to something else in their results? It didn’t change the names for, say, “MimeKit.dll” or “System.Buffers.dll” in the same archive.

      IMO it’s not VirusTotal changing the names of files. It’s just how DLLs for different architectures handle what is essentially the same code but with minor changes based on internal differences to bus connections. VirusTotal just shows the base name ‘cos, essentially, the code functionality is the same – despite minor hardware differences.

      I’m going to continue using this version of CrystalDiskInfo with no concerns at all.

      1 user thanked author for this post.
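
The checks described in the opening post (archive SHA256 against the published value, then a per-file hash and digital-signature check after extraction), as an added PowerShell example that is not part of the original thread. The download path and scratch folder are assumptions; the script also prints each binary's embedded version-resource names next to its on-disk name, since the two can differ (whether a scanner displays those names is not confirmed by the thread).

```powershell
# Added example, not from the thread. Default paths below are assumptions.
param(
    # SHA256 copied by hand from the author's download page
    [Parameter(Mandatory)] [string]$PublishedHash,
    # Archive name as given in the thread; the Downloads location is assumed
    [string]$ZipPath   = "$env:USERPROFILE\Downloads\CrystalDiskInfo9_0_1a.zip",
    # Scratch folder for extraction (assumed)
    [string]$ExtractTo = (Join-Path $env:TEMP 'cdi-triage')
)

# 1. Compare the archive hash with the published value before touching the contents.
#    -ne on strings is case-insensitive, so upper/lower-case hex both match.
$actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash
if ($actual -ne $PublishedHash.Trim()) {
    throw "Archive hash mismatch. Computed: $actual"
}
Write-Host "Archive hash matches: $actual"

# 2. Extract to the scratch folder. Nothing is executed by this step.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $ExtractTo -Force

# 3. Report on every EXE and DLL: on-disk name, names embedded in the
#    version resource, Authenticode status, signer, and SHA256.
Get-ChildItem -Path $ExtractTo -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            OnDiskName       = $_.Name
            OriginalFilename = $_.VersionInfo.OriginalFilename
            InternalName     = $_.VersionInfo.InternalName
            SignatureStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer           = $sig.SignerCertificate.Subject
            SHA256           = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Format-List
```

The per-file SHA256 values can be pasted into a scanner's hash search, so a file that was already analysed can be looked up without uploading it again.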